iCloud can help manage passwords, but it's not a complete password manager.


In the latest versions of OS X and iOS, Apple's new iCloud Keychain provides one of the most important pieces of functionality for security-conscious users: a password manager.

Unfortunately, it's kind of a mess. iCloud Keychain does accomplish the most basic things you'd expect a password manager to do, but it often does so in an awkward manner. Important functionality is hard enough to find that it may be effectively hidden from the average user, particularly on iPhones and iPads.

Ultimately, iCloud Keychain can be put to good use if you've carefully examined what it does well and doesn't do well. It works best as a complement to a complete service like 1Password or LastPass, but it just isn't convenient and robust enough to act as a standalone password manager.

The short version is that iCloud Keychain does a good job of automatically entering passwords in websites on Apple's Safari browser, both with iOS devices and Macs. It does not work with any third-party browsers on OS X or iOS. It cannot fill in passwords on an iOS app unless the developer of that app has done some legwork to integrate with iCloud Keychain. Worse, it stores the passwords in an inconvenient location on iOS, making it hard to copy and paste passwords for those cases when iCloud Keychain can't automatically fill them in. Finally, it lacks some of the basic features that make standalone password managers more than just password managers, such as syncing of encrypted notes across both desktops and mobile devices.

Setting it up

iCloud Keychain is available in OS X Mavericks for Mac computers and iOS 7.0.3 for iPhones, iPads, and iPod Touches. When you set up any such device, you'll be asked if you want to use iCloud Keychain. With the first device, you'll choose either a four-digit numeric code or a complex password to secure the keychain. To add any subsequent device to iCloud Keychain, you can type in the passcode or approve the new device from a device that already runs the password manager.

You can also set up iCloud Keychain without any passcode or password. Apple states in a support document that this allows you to store passwords "only locally" on your devices, but it's clear from our tests that the system stores passwords in the cloud no matter what. The difference is that without a passcode there won't be a permanent backup of your keychain that you can restore if you happen to lose all of your Apple devices. You'll also have to approve any new device from an existing device, with no option to access the keychain with just the passcode. We covered this and other security aspects of iCloud Keychain in a previous article this week.

For myself, I don't mind storing some website passwords with iCloud, but I prefer to keep my most crucial credentials (banking, credit cards, etc.) in 1Password. But let's just say you want to trust all your passwords to Apple. How can you use iCloud Keychain effectively?

Work within Apple's limitations

First off, make sure you always use Safari. When you fill in passwords or create new Web accounts, iCloud Keychain will offer to save your passwords and create new, complex ones if you need them. While most password generators will let you change the default length and composition of the password, iCloud Keychain in Safari always makes passwords of 12 letters and numbers and three dashes:

Safari on Mac.

If you want a longer password, you'll have to come up with it yourself, which sort of defeats the purpose of having an automatic generator. But since iCloud Keychain will sync your password across devices, that's perhaps not a huge deal. You can just bang a bunch of random characters into the keyboard without worrying about remembering them.

Still, I prefer the 1Password approach:

1Password Menubar tool.

If you want your passwords in iCloud Keychain to be automatically filled in on Safari on any Mac or iOS device you use, you'll have to click a couple of settings. In Safari on Mac, go to Preferences and then Passwords and click the box that says, "Autofill user names and passwords." If you want, also click the box next to, "Allow Autofill even for websites that request passwords not be saved."

As John Siracusa notes in the Mavericks review, "enabling this override requires that the Mac be configured to lock the screen when idle. Second, Safari still fails to auto-fill passwords on some websites, most notably Apple’s own icloud.com."

Once you get out of Safari, things become less convenient. On the Mac, 1Password has a standalone desktop application, a Menubar tool, and extensions for every major browser. That makes generating passwords and filling them in easy no matter what you're using.

iCloud Keychain's non-Safari functionality is found in the Mac's Keychain Access tool:

This is where you'd go if you need to copy a password to paste into a non-Safari browser or a desktop application. (You can also copy passwords into the Mac's clipboard from within Safari by going into Preferences and selecting the Passwords tab.) For example, let's open my Twitter password entry in Keychain Access:

If I click "Show password," I will be asked to enter my keychain password, which happens to be the same long passphrase I use to unlock my computer. If I enter that correctly, the Twitter password will become visible, and I can copy it. Somewhat frustratingly, clicking that lock on the bottom right opens up a password generator that lets you create passwords of arbitrary length and composition:

I say that it's frustrating because the same option doesn't appear in Safari, where it would be more useful.

iOS syncing limited to passwords, excludes secure notes

Let's switch gears and look at iOS. This is where iCloud Keychain starts to get simultaneously more useful and more frustrating.

Because of the restrictions Apple places on third-party applications for iOS, password managers can't automatically log you into websites on Safari. They can include a browser within their app, but not integrate with an iPhone's or iPad's default browser.

Apple is Apple, so it doesn't face those restrictions. iCloud Keychain is thus the only password manager to integrate with Safari on iOS (barring some jailbreak tweak I'm not aware of).

iCloud Keychain won't integrate with most third-party apps today, since developers have to add that integration themselves. "Developers can update their apps to work with iCloud Keychain," Apple says. "Passwords saved by those apps are then kept up to date on all devices that use the app and [are] running iOS 7.0.3 or later or OS X Mavericks v10.9 or later."

In Safari on iOS, iCloud Keychain works as well as it does on the Mac, filling in logins and helping you generate passwords for new ones. As on the Mac, you have to click some settings to make sure it works. Head into Settings/Safari/Passwords & Autofill and click "Names and Passwords" and "Always Allow."

The process of copying a password into the iOS clipboard so that it can be filled into an application other than Safari seems unnecessarily difficult to figure out. But if you go into Settings/Safari/Passwords & Autofill/Saved Passwords, click an entry, then type your phone's passcode, you'll see a list of logins in alphabetical order. There's no way to search the list, so just scroll until you find the entry you want, click it, and you'll see something like this:

There's no indication on the screen that the password can be copied, but if you hold your finger down on the user name or password, you'll receive that option. Unfortunately, you can't click on the website itself. After becoming accustomed to 1Password, I assumed clicking a website in a password manager's login list would automatically open the browser and fill in the login. With iCloud Keychain, that's not the case. You can't even copy the URL and paste it into Safari manually.

What's also frustrating is that the password entries don't contain any notes you might have made in your keychain entry on the Mac. In the screenshots earlier in this article, you can see iCloud Keychain on the Mac lets you add comments to individual logins or make standalone secure notes.

As we described in our article, "The secret to online safety: Lies, random characters, and a password manager," a strong personal security strategy may include making up nonsensical answers to security questions, which are too easy to break if you use standards like "Mother's maiden name." A good password manager will let you store any additional information you need for each login and sync it across both desktop and mobile. iCloud Keychain doesn't do that.

Useful, but not as useful as it should be

iCloud Keychain is indeed a useful addition to OS X and iOS, especially for people who use Safari across both operating systems. On iOS, iCloud Keychain fills the chief gap in third-party password managers—the lack of integration with Safari. For something that comes free with the operating system, that's a nice feature. Combined with the automatic password generator (despite its non-customizability), iCloud Keychain can help people who don't already use a password manager improve their defenses against hackers.

But in almost every other way, iCloud Keychain falls short of the functionality one expects from a paid password manager. The lack of cross-browser support, the password generator's limitations, the inconvenient locations of keychain information, and the failure to sync secure notes across desktop and mobile are all entries for the cons column. It's possible Apple will fill in all the gaps someday, but as of now, people who take security seriously aren't likely to find everything they want in iCloud Keychain.

One thing you don't mention is how (and if) it handles certificates, at least S/MIME, particularly with regards to iOS. That's one area that 3rd party managers fall completely flat in, and it's particularly important to make it more convenient if we want more people to do stuff like use encrypted email. iOS devices can have certificates loaded along with profiles using the free Configurator, and after initializing devices can even be managed entirely remotely or have updates securely sent to them via email. But while that's a better approach in a more serious security situation and is pretty straightforward for an admin or tech user, it'd be much more convenient and still much better than nothing if the process could be further automated via iCloud sync. Then adding a cert for johndoe@email.com on one system would automatically add it to every system. Public certs received should work the same way, it shouldn't be necessary to do the current cumbersome manual add required on iOS rather than having it automatically stored and distributed. That doesn't even have any security concerns since they're public anyway.

iCloud Keychain falls short of the functionality one expects from a paid password manager.

And for this exact reason it's a good thing it is free. I can't help but think that if it did, in fact, completely supplant paid password managers we'd be hearing complaints about how Apple had "Sherlocked" the password management market instead of complaints about a lack of functionality.

On a different note, It would be really nice to have some more detailed information about how iCloud Keychain is storing passwords since everything I've been able to find strongly suggests that Apple can decrypt an iCloud keychain at any time. The main thing that makes me believe this is that I can access plaintext passwords on an iOS device by entering that device's unlock code (PIN). This seems to inherently mean that Apple is able to decrypt my keychain from my Mac (which uses a MUCH stronger password than a 4-digit PIN) and re-encrypt it using my iOS PIN, and that they therefore can decrypt my passwords at any time. With everything that is going on in the US right now, Apple (or Google, or Microsoft, or Yahoo, or really any major tech company) having direct access to any and all passwords is not a very comforting thought. Is there something that I'm missing here?

Because of the restrictions Apple places on third-party applications for iOS, password managers can't automatically log you into websites on Safari. They can include a browser within their app, but not integrate with an iPhone's or iPad's default browser.

This is the reason I've pretty much stopped using 1Password and am using iCloud Keychain now.

1Password is slightly better on Mac OS but much, much worse on iOS. iCloud Keychain is slightly worse on Mac OS but much, much better on iOS.

Overall, iCloud Keychain, while less capable, is much more convenient for me, so I'm using it.

I would, however, be very interested in a detailed, under-the-hood look at how secure iCloud Keychain is compared to other popular password managers, specifically 1Password. Also what assurances of privacy we can have based on its design and implementation.

The main thing that makes me believe this is that I can access plaintext passwords on an iOS device by entering that device's unlock code. This seems to inherently mean that Apple is able to decrypt my keychain from my Mac (which uses a MUCH stronger password than a 4-digit PIN) and re-encrypt it using my iOS PIN.

What you described isn't inherently open to Apple (but I'm not saying that in reality that isn't the case). I'm not entirely sure how Apple does it, but let me propose one way that this could be possible (I'm not a cryptographer, so don't use this):

1. Let's say that your computer generates a random string of bits, k.
2. Your iCloud password is then used by a cryptographically secure hash function H (such as scrypt) to generate a key, ka. Thus H(password) = ka. Do note that H must not be the same as the function iCloud's servers use to authenticate you.
3. Your answers to your security questions 1-3 are used by a cryptographically secure hash function H (such as scrypt) to generate keys kb - kd. Again, they should NOT store the answers to the security questions.
4. Simply use exclusive or (XOR) to generate ka' from k XOR ka, kb' from k XOR kb, and so on.
5. Those ka' - kd' are stored in iCloud. The only way to get the original key, k is to XOR one of those with either the hashed iCloud password or the hashed answers to your security questions. Since Apple (and no one else, presumably) has those, they would be unable to decrypt your data.

Now a mobile device can work in much the same way as a computer would to access the data. Getting k is as simple as H(password) XOR ka'... and using a pin to lock it could presumably just use the exact same type of method described above. Use H(pin) to make kp ... k XOR kp = kp' and hold on to kp' and forget k. To unlock the keychain, you don't have to redownload ka', just use kp' XOR H(pin) and you'll have k again.

Of course there's a lot of considerations that I'm oversimplifying but I think it's reasonably close to a scheme that keeps Apple from knowing how to access your keychain. I'd probably also make sure that you use different H functions all around (or use a hash function that allows for different parameters such as "salts" and such to differentiate ka' - kd' as much as possible). But again, I'm not a cryptographer. I'm certain a scheme similar to the one above is listed somewhere that has been verified by cryptographers, so research that if you're actually trying to do this stuff.

Edit: TBH though, one issue with this is that Apple *could* listen in on you entering your password when they authenticate you (if you're paranoid, this means an attacker could, in theory, infiltrate Apple's authentication process to steal your password and, ultimately, your iCloud keychain). The only way to potentially avoid this is if the authentication scheme involves you hashing your password prior to sending it to Apple who rehashes it once again to finally authenticate you. Does Apple do this? I find that doubtful but it's possible to do.
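The key-wrapping scheme sketched in the comment above, written out as an added example; it is not part of the original comment and says nothing about how Apple actually implements iCloud Keychain. The function names, the per-slot random salts (standing in for the commenter's "different H functions") and the HMAC key-check value are assumptions introduced here, and all secrets are constructed sample values.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # length in bytes of the random keychain key k


def derive(secret: str, salt: bytes) -> bytes:
    """H(secret) from the comment: scrypt, with a per-slot salt so that
    every slot effectively uses a different H (assumption of this example)."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=KEY_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR wrapping needs equal-length keys")
    return bytes(x ^ y for x, y in zip(a, b))


def key_check(k: bytes) -> bytes:
    """Lets a device confirm it recovered the right k. XOR alone never
    fails on a wrong secret; it silently yields a wrong key."""
    return hmac.new(k, b"keychain key check", hashlib.sha256).digest()


def wrap_slot(k: bytes, secret: str) -> dict:
    """Compute ka' = k XOR H(secret) for one slot."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped": xor(k, derive(secret, salt))}


def create_keychain(slot_secrets: dict) -> tuple:
    """Steps 1-5: generate k, wrap it once per secret, and return
    (k, record). Only `record` would be uploaded; it holds salts,
    wrapped keys and the check value, never k or any secret."""
    k = secrets.token_bytes(KEY_LEN)
    record = {
        "check": key_check(k),
        "slots": {name: wrap_slot(k, s) for name, s in slot_secrets.items()},
    }
    return k, record


def unwrap(record: dict, slot: str, secret: str):
    """Recover k = ka' XOR H(secret); return None if the secret is wrong."""
    entry = record["slots"][slot]
    candidate = xor(entry["wrapped"], derive(secret, entry["salt"]))
    if hmac.compare_digest(key_check(candidate), record["check"]):
        return candidate
    return None


def enroll_pin(k: bytes, pin: str) -> dict:
    """Device-local record from the comment's last paragraph: keep kp'
    (k XOR H(pin)) on the device and forget k."""
    return {"check": key_check(k), "slots": {"pin": wrap_slot(k, pin)}}


if __name__ == "__main__":
    # Constructed sample secrets, for illustration only.
    k, record = create_keychain({
        "password": "correct horse battery staple",
        "answer1": "plaid walrus",
    })
    print("password unwraps k:",
          unwrap(record, "password", "correct horse battery staple") == k)
    print("wrong password rejected:",
          unwrap(record, "password", "hunter2") is None)
    local = enroll_pin(k, "4821")
    print("PIN unwraps k locally:", unwrap(local, "pin", "4821") == k)
```

Anyone who learns one slot's secret recovers k, and with k every other slot's derived key (wrapped XOR k), so the weakest secret protecting a slot bounds the strength of the whole keychain.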

Seems fine to me. I already use 1Password, and once I figure out how to export some logins to my keychain, I'll set up iCloud Keychain so I don't have to copy paste passwords in 1Password for iOS anymore.

It's possible Apple will fill in all the gaps someday, but as of now, people who take security seriously aren't likely to find everything they want in iCloud Keychain.

I "take security seriously" and there are certain passwords I will store in Keychain that I will not trust to 1Password or LastPass.

The cumbersome nature of accessing keychain data is due to the way it implements security. It is a lot easier to steal passwords from 1Password or LastPass than Keychain.

Both 1Password and LastPass allow anyone with access to my computer to tap a few keys and see the plaintext version of all my passwords. Keychain doesn't allow that, it will fill passwords for you but displaying them requires you to enter your master password again. Yes, my Mac does prompt for login when it wakes from sleep... but I work in a shared office and if someone really wanted they could get to my 1Password or LastPass database (I use both of them) but they can't get to anything in keychain.

Keychain also uses the private key of a software developer to lock down which individual keychain items can be accessed by that app. So Mail.app can see my Gmail password, and Xcode can see my Apple Developer Account password, but they cannot see each other's password without me entering my master password and granting once off or indefinite permission.

I'm more familiar with Keychain on the mac, where you're wrong about it being limited to Safari. There is a public API for keychain and any third party app can use it. It's just that Google and Mozilla choose not to, there are other Mac browsers that do and certainly many third party mac apps use the keychain (I've written a couple).

I don't know what the state of keychain's API is on iOS, but if it's not already as good as on OS X I'm sure it'll improve soon. Give it a couple of OS versions.

everything I've been able to find strongly suggests that Apple can decrypt an iCloud keychain at any time. The main thing that makes me believe this is that I can access plaintext passwords on an iOS device by entering that device's unlock code (PIN). This seems to inherently mean that Apple is able to decrypt my keychain from my Mac (which uses a MUCH stronger password than a 4-digit PIN) and re-encrypt it using my iOS PIN, and that they therefore can decrypt my passwords at any time. With everything that is going on in the US right now, Apple (or Google, or Microsoft, or Yahoo, or really any major tech company) having direct access to any and all passwords is not a very comforting thought. Is there something that I'm missing here?

I don't think it works that way.

My understanding is your phone has a strong public/private keypair. It encrypts the private key using a combination of your 4 digit pin (which is weak) and the hardware key embedded in the CPU or motherboard (which is strong and kept in a section of memory that can be read by decryption circuits but cannot be read by anything else). It uploads the public key to apple's server, and apple distributes the public key to all your other iOS devices and mac/etc.

Then, your mac encrypts the data with the public key, uploads it to apple's server, and your iOS device downloads it and decrypts it.

Your iOS device can decrypt keychain passwords using a 4 digit pin but no other hardware device anywhere in the world can do so, because they don't have the device's hardware key. Also, the hardware in your iOS device that can read the key has been deliberately crippled to make brute force difficult. It's not using the A7 CPU to perform the decryption, it's using a custom chipset that is painfully slow (although not slow enough to make a 4 digit pin very strong).

In addition, if you buy an iPhone 5S... you can switch to using a strong alphanumeric password and use the finger print sensor to unlock the phone, which is a lot more secure than a 4 digit pin code.

Biggest problem with iCloud keychain for me is that it syncs WiFi network settings between my Macbook and iPhone. I have a citywide WiFi account that I only use with my laptop while at work. Normally when I'm away from home I use only 4G on my phone. But now my phone is constantly trying to get on the city wireless and it's kind of annoying (because I'm on the bus or something so it's constantly getting dropped, etc).

Yes, it's certainly up to Apple to improve its password manager. And I hope they do. But I also hope that more companies that provide third-party software will be integrating their browsers/apps with the iCloud Keychain.

Both 1Password and LastPass allow anyone with access to my computer to tap a few keys and see the plaintext version of all my passwords. Keychain doesn't allow that, it will fill passwords for you but displaying them requires you to enter your master password again.

You can configure LastPass to require the master password before it shows a password. You can set this for all passwords or for individual passwords. And then there is the two-factor option and the option to log out after a set period of time.

I don't know why you are expecting iCloud Keychain to function like, or even be a password manager application...???

That's not really its intent. It's a solution for everyday users to NOT have to manage their passwords. You're looking for features and functions of an advanced application for a completely different audience.

I have to enter my master passphrase (diceware 'phrase') into lastpass to see my passwords. Thought that was the default, but I may have set it to do that early on. It is a pain, but necessary I think.

Back on topic, can icloud import passwords? There are some, such as my password for Ars, which importing into icloud wouldn't be such a big deal.

In both Mac (and iOS) I would like searchability, better alphabetical ordering (as in iOS), additional columns for adding other site-specific profile/financial data (like what address, phone nor is on file w/site), and synced secure notes (I found the S.N. feature recently while moving much of my mac's legacy keychain data into, and then cleaning-up, the iCloud folder automatically populated with the data from my iPhone and iPads. It would be useful to be able to access this data from an iOS device - maybe via VPN or BtMM.)

I think it important that keychain stop being so polite and ignore website and app requests not to suggest or store or autofill data. By Apple taking its lead from websites, or apps, keychain becomes a clumsy 80% solution and forces users to either keep a much smaller crib sheet or use an easy to remember password across multiple sites.

This seems a decent first start, but feels a bit like the incomplete launch of Apple Maps.

I don't really care if because Apple comes up with a refined iCK that it is accused of sherlocking. (If they want to avoid that they could always buy the leader and integrate it into iOS/OS X, either way, security is one of Apple's tent poles and they need to build-out this functionality.)

I've used Keychain syncing from MobileMe/.Mac/iTools and I was really pissed when they removed it from iCloud. I'm actually quite pleased with the way it functions, like it did before they removed it with the added suggestion of password generation in Safari.

I think they could have improved Keychain with the release of Mavericks but again no complaints really.

I use mSecure for everything that's not in Keychain, because they have an app for Android, Windows, Mac and iOS. I would not be surprised if Google added support in Chrome for iOS and Mac just so they can save a copy of your passwords for themselves... Google only plays nice when they have some data gain.

Apple always tries to hit somewhere between ease of use and feature complete. iCloud Keychain will never compete with 1Password or other types of managers. For example, I make up answers to my security questions and store those answers in 1Password. You can't do that with iCloud Keychain.

However, if iCloud Keychain encourages people to use different passwords for different websites, and not to use passwords like sw0rdf1sh or password123, it will go a long way to making things a bit more secure for the average user. I will still use 1Password, but iCloud Keychain is heading in the right direction.

iCloud Keychain falls short of the functionality one expects from a paid password manager.

And for this exact reason it's a good thing it is free. I can't help but think that if it did, in fact, completely supplant paid password managers we'd be hearing complaints about how Apple had "Sherlocked" the password management market instead of complaints about a lack of functionality.

On a different note, It would be really nice to have some more detailed information about how iCloud Keychain is storing passwords since everything I've been able to find strongly suggests that Apple can decrypt an iCloud keychain at any time. The main thing that makes me believe this is that I can access plaintext passwords on an iOS device by entering that device's unlock code (PIN). This seems to inherently mean that Apple is able to decrypt my keychain from my Mac (which uses a MUCH stronger password than a 4-digit PIN) and re-encrypt it using my iOS PIN, and that they therefore can decrypt my passwords at any time. With everything that is going on in the US right now, Apple (or Google, or Microsoft, or Yahoo, or really any major tech company) having direct access to any and all passwords is not a very comforting thought. Is there something that I'm missing here?

"Is there something that I'm missing here?"

Maybe you would like an iPhone with a fingerprint sensor? Wink wink, nudge nudge.

EDIT: I completely misread your comment skimming too fast, thought you meant that you were uncomfortable with the same passwords that you keep protected by a strong password on the mac be only a 4 digit iPhone unlock away from being compromised, which would have made what I said much funnier.

You don't have to open Keychain access on the Mac to view your passwords.

From the Apple Support site:

Macs using OS X Mavericks v10.9 or later:
1. Go to Safari > Preferences and select the Passwords tab.
2. Select "Show passwords for selected sites."
3. Enter your system password.
4. Select a website on the list to view its password.

The short version is that iCloud Keychain does a good job of automatically entering passwords in websites on Apple's Safari browser, both with iOS devices and Macs. It does not work with any third-party browsers on OS X or iOS.

Is that really a big deal? Okay so it's a reason why you may not want to use it right now, but like most new features Apple creates it's really just a matter of adoption by Mac apps. I know Chrome uses the OS X Keychain for passwords, so it can still auto-fill passwords for you, even if it can't create them, but with a few tweaks it should be able to add password creation without too much trouble. iCloud Keychain is really just an extension of all the existing keychain tools that OS X has had for a long time now, and which apps should really be using anyway.

Quote:

It cannot fill in passwords on an iOS app unless the developer of that app has done some legwork to integrate with iCloud Keychain.

Although I haven't done any work with keychain on iOS, surely it's exactly the same issue here? An app just needs to ask for details from a user's keychain, which is something they could be doing already, at which point iCloud Keychain is already supported for filling passwords, and needs only a minor extension for creating them.

Again, this is a reason to not just immediately stop what you were doing before and jump feet first into iCloud Keychain, but as a platform capability it's one that developers are bound to take advantage of over time.

Quote:

Worse, it stores the passwords in an inconvenient location on iOS, making it hard to copy and paste passwords for those cases when iCloud Keychain can't automatically fill them in.

Keychain Access isn't much friendlier on the OS X side of things, but again, in Apple's world you shouldn't need to copy/paste these passwords, as apps should move to natively support keychain password management, at which point you don't need to copy/paste a password ever again. Not being able to do it for the time being is annoying, but it's another transition issue that will be resolved in time; the alternative would be releasing a Keychain Access app for iOS to use in the meantime which, sure, Apple should probably have done, but would ultimately become obsolete again.

Quote:

Finally, it lacks some of the basic features that make standalone password managers more than just password managers, such as syncing of encrypted notes across both desktops and mobile devices.

Is this even a genuine criticism? It also doesn't send e-mail or make you toast; it's simply not what the feature is for. If you want to sync notes then that's the domain of Notes, so if Apple want to do encrypted notes then that's the place to do it, not in a password manager.

Don't get me wrong, it's great that password managers can do these things with the same standard of security they use for passwords, but it's not really a password management feature at all, just a bundled extra that Apple can (and should) cover in a more appropriate place.

The one feature missing that really impedes my work flow is that, unlike 1password, it can't handle more than one user per Web site. For example, I have several different gmail accounts all at the same base URL and the iCloud Keychain only saves the last login.

Which is kinda strange because the ability to pick among several options *is* in iCloud Keychain. When you want to fill in a credit card it can display all the saved ones.


This review boils down to the statement that Apple’s password feature fails because it doesn’t replace a third party application that sells for $50. At least you didn’t complain about the price this time.

One feature of icloud keychain that I haven't seen get any press is wifi password syncing. It's pretty handy, if you've connected to a wifi access point with a password, that password is synced across all your devices syncing on icloud, and they will automatically join that network when they see it. It also allows you to reset your network settings on an iphone or ipad, and not lose your saved wifi passwords, which otherwise is a bit of a pain.


The one feature missing that really impedes my work flow is that, unlike 1password, it can't handle more than one user per Web site. For example, I have several different gmail accounts all at the same base URL and the iCloud Keychain only saves the last login.

Which is kinda strange because the ability to pick among several options *is* in iCloud Keychain. When you want to fill in a credit card it can display all the saved ones.

Maybe in version two.

It won't give you a pop up list like Safari on Mac does, but if you start typing a username that is saved, it will eventually recognize that you want that particular account, and offer to fill those credentials, instead of the last used ones.

Excellent! Very counterintuitive and not so great as you have to remember your various user names, but better than nothing. Too bad they can't do like Safari on the Mac.

It's a first release. Apple is king of iterating. It will get better over time. I'm sure Safari integration is just the first step, and that they'll add all the nice extras (notes etc) over time. I think it'll really kick into high gear once *all* of Apple's devices (MacBooks, wireless keyboards, iPhones, iPads, iPods) have TouchID sensors built-in. Everything will be accessible with a simple swipe of your finger.

Both 1Password and LastPass allow anyone with access to my computer to tap a few keys and see the plaintext version of all my passwords. Keychain doesn't allow that, it will fill passwords for you but displaying them requires you to enter your master password again. Yes, my Mac does prompt for login when it wakes from sleep... but I work in a shared office and if someone really wanted they could get to my 1Password or LastPass database (I use both of them) but they can't get to anything in keychain.

I use 1Password, since version 1, and while it is true you can see the password easily once the app is open, the app has MANY security features to disable viewing by locking 1Password. You can designate a time frame, on sleep, when the window is closed, etc.

Also, the browser plugins and the new menu bar password tool will not show a password, only allow you to create one or insert one. And they idle out as well. To SEE the password, you MUST open the full app, which again, requires a master password to get into.

Re: other browsers not supporting iCloud Keychain - they could perfectly well have used the Keychain for passwords ever since OS X came out - Camino always did, for example. It's Mozilla's and Google's decision not to use the Keychain.

Jon, you should change your Amazon password, etc. if you have not done so since taking the screenshots and applying the mosaic filter. The exact shades and arrangement of the resultant tiles are deterministically linked to the original text, and demonstrably recoverable, for example: http://tlrobinson.net/blog/2008/10/reco ... oshop-cs3/ Blur is no good either, for the same reason. Completely obscure it.

It's possible Apple will fill in all the gaps someday, but as of now, people who take security seriously aren't likely to find everything they want in iCloud Keychain.

I "take security seriously" and there are certain passwords I will store in Keychain that I will not trust to 1Password or LastPass.

The cumbersome nature of accessing keychain data is due to the way it implements security. It is a lot easier to steal passwords from 1Password or LastPass than Keychain.

Both 1Password and LastPass allow anyone with access to my computer to tap a few keys and see the plaintext version of all my passwords. Keychain doesn't allow that, it will fill passwords for you but displaying them requires you to enter your master password again. Yes, my Mac does prompt for login when it wakes from sleep... but I work in a shared office and if someone really wanted they could get to my 1Password or LastPass database (I use both of them) but they can't get to anything in keychain.

Maybe I'm misunderstanding you here, but if someone knows your account password, they can also view the passwords stored in your keychain. Keychain Access prompts you for your account password when you click on "show password". So in a way, Keychain Access is less secure than the others because the others allow you to use a different master password to what you use for your system account.

Or have you found a way to change the master password in Keychain Access? I'm very curious, I never thought it was possible to change it. (Note that I'm not using Mavericks, so perhaps something has changed?)